The Windows Kerberos client calls AcquireCredentialsHandle with a populated SEC_WINNT_AUTH_IDENTITY even when the user provides no password. In some customer setups, AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS as a result because the mongo client is asking for Windows to return something other then the default credentials.
While I cannot repro this issue locally, we have confirmed with the customers that if AcquireCredentialsHandle is called without SEC_WINNT_AUTH_IDENTITY, then clients can successfully connect. Both a patched shell and the node.js driver can successfully connect in these cases.
The fix is to not pass SEC_WINNT_AUTH_IDENTITY to AcquireCredentialsHandle unless the user specifies a password.